PPTX

```CS461/ECE422
Spring 2012

Commercial Symmetric systems
 DES
 AES

Modes of block and stream ciphers
1/31/12
Nikita Borisov — UIUC
2


Chapters 2 and 20 from text.
AES Standard issued as FIPS PUB 197
 http://csrc.nist.gov/publications/fips/fips197/fips-
197.pdf

Handbook of Applied Cryptography,
Menezes, van Oorschot, Vanstone
 Chapter 7
 http://www.cacr.math.uwaterloo.ca/hac/
1/31/12
Nikita Borisov — UIUC
3

E encipherment function
 Ek(b) encipherment of message b with key k
 In what follows, m = b1b2 …, each bi of fixed length

Block cipher
 Ek(m) = Ek(b1)Ek(b2) …

Stream cipher
 k = k1k2 …
 Ek(m) = Ek1(b1)Ek2(b2) …
 If k1k2 … repeats itself, cipher is periodic and the
length of its period is one cycle of k1k2 …
1/31/12
Nikita Borisov — UIUC
4

Vigen&egrave;re cipher
 |bi| = 1 character, k = k1k2 … where |ki| = 1 character
 Each bi enciphered using ki mod length(k)
 Stream cipher

DES
 |bi| = 64 bits, |k| = 56 bits
 Each bi enciphered separately using k
 Block cipher
1/31/12
Nikita Borisov — UIUC
5




Key desirable property of an encryption
algorithm
Where a change of one input or key bit results
in changing approx half of the output bits
If the change were small, this might provide a
way to reduce the size of the key space to be
searched
DES exhibits strong avalanche
1/31/12
Nikita Borisov — UIUC
7

A block cipher:
 encrypts blocks of 64 bits using a 56 bit key
 outputs 64 bits of ciphertext

A product cipher
 basic unit is the bit
 performs both substitution (S-box) and
transposition (permutation) (P-box) on the bits

Cipher consists of 16 rounds (iterations) each
with a round key generated from the usersupplied key
Slide #9-8
1/31/12
Nikita Borisov — UIUC
8

Structured to enable use of same S-box and
P-box for encryption and decryption
 Change only key schedule

Major feature is key division and swapping
 L(i) = R(i-1)
 R(i) = L(i-1) xor f(K(i), R(i-1))
1/31/12
Nikita Borisov — UIUC
9
1/31/12
Nikita Borisov — UIUC
10
1/31/12
Nikita Borisov — UIUC
11
input
IP
L0
R0

f
K1
R1 = L0  f(R0 , K1)
L1 = R0
L16 = R15
R16 = L15 - f(R15, K16)
Š1
IP
output
Slide #9-13
1/31/12
Nikita Borisov — UIUC
13
R iŠ1 (32 bits)
Ki (48 bits)
E

R iŠ1 (48 bits)
S1
S2
S3
S4
6 bits into each
S5
S6
S7
S8
4 bits out of each
P
32 bits
Slide #9-14
1/31/12
Nikita Borisov — UIUC
14


Key non-linear element to DES security
have eight S-boxes which map 6 to 4 bits
 outer bits 1 &amp; 6 (rowbits) select one rows
 inner bits 2-5 (colbits) select column
 result is 8 lots of 4 bits, or 32 bits

row selection depends on both data &amp; key
 feature known as autoclaving (autokeying)

example:
 S(18 09 12 3d 11 17 38 39) = 5fd25e03
1/31/12
Nikita Borisov — UIUC
15



decrypt must unwind steps of data
computation
with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
note that IP undoes final FP step of
encryption
 1st round with SK16 undoes 16th encrypt round
 ….
 16th round with SK1 undoes 1st encrypt round

then final FP undoes initial encryption IP thus
recovering original data value
1/31/12
Nikita Borisov — UIUC
16

Considered too weak
 Diffie, Hellman said in a few years technology
would allow DES to be broken in days
▪ Design using 1999 technology published
 Design decisions not public
▪ NSA controlled process
▪ Some of the design decisions underlying the S-Boxes are
unknown
▪ S-boxes may have backdoors
▪ Key size reduced from 112 bits in original Lucifer design
to 56 bits
1/31/12
Nikita Borisov — UIUC
17

4 weak keys
 They are their own inverses
 i.e. DESk(m) = c DESk (c) = m
 All 0’s. All 1’s. First half 1’s second half 0’s. Visa versa.

12 semi-weak keys
 Each has another semi-weak key as inverse
 i.e. DESk1(m) = c DESk2 (c) = m

Possibly weak keys
 Result in same subkeys being used in multiple rounds

Complementation property
 DESk(m) = c DESk (m ) = c
1/31/12
Nikita Borisov — UIUC
18



What do you need?
How many steps should it take?
How can you do better?
1/31/12
Nikita Borisov — UIUC
19

Double encryption not generally used
 Meet-in-the-middle attack
 C = Ek2(Ek1(P))
 Modifies brute force to require only 2n+1 steps instead of
22n

Encrypt-Decrypt-Encrypt Mode (2 or 3 keys: k, k )
 c = DESk(DESk –1(DESk’’(m)))
 Also called Triple DES or 3DES when used with 3 keys
 168 bits of key, but effective key length of 112 due to
meet-in-the middle
 Not yet practical to break but AES much faster

Encrypt-Encrypt-Encrypt Mode (3 keys: k, k , k )
 c = DESk(DESk (DESk (m)))
1/31/12
Nikita Borisov — UIUC
20

Was not reported in open literature until 1990
 Tracks probabilities of differences inputs
matching differences in outputs

Chosen ciphertext attack
1/31/12
Nikita Borisov — UIUC
21

Build table of probabilities of inputs and
outputs per round
 ∆mi+1 = mi+1 xor m’i+1
 ∆mi+1 = [mi-1 xor f(mi,Ki)] xor [ m’i-1 xor f(m’i, Ki)]
 ∆mi+1 = ∆mi-1 xor [f(mi,Ki) xor f(m’i, Ki)]

Compose probabilities per round
1/31/12
Nikita Borisov — UIUC
22

Revealed several properties
 Small changes in S-boxes reduces the number of
pairs needed
 The method was known to designer team as early
as 1974

Not so useful to break DES
 But very useful to analyze the security of Feistel
Network systems
1/31/12
Nikita Borisov — UIUC
23

Lucifer – IBM precursor to DES
 Broken in 30 pairs

FEAL-N
 DES with different numbers of iterations
 FEAL-4 broken in 20 pairs
 FEAL-8 broken in 10,000 pairs


DES with 15 rounds broken in 252 tests
DES with 16 rounds broken in 258 tests
1/31/12
Nikita Borisov — UIUC
24
A design for computer system and an associated
software that could break any DES-enciphered
message in a few days was published in 1998
 Several challenges to break DES messages
solved using distributed computing
 National Institute of Standards and Technology
(NIST) selected Rijndael as Advanced Encryption
Standard (AES), successor to DES

 Designed to withstand attacks that were successful
on DES
 It can use keys of varying length (128, 196, or 256)
1/31/12
Nikita Borisov — UIUC
25

Clear a replacement for DES was needed
 Can use Triple-DES –but slow with small blocks

US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were short-listed in Aug-99

Rijndael was selected as AES in Oct-2000
 issued as FIPS PUB 197 standard in Nov-2001
 http://csrc.nist.gov/publications/fips/fips197/fips-
197.pdf
1/31/12
Nikita Borisov — UIUC
26

Private key symmetric block cipher
 128-bit data, 128/192/256-bit keys





Stronger &amp; faster than Triple-DES
Active life of 20-30 years (+ archival use)
Provide full specification &amp; design details
Both C &amp; Java implementations
NIST have released all submissions &amp;
unclassified analyses
1/31/12
Nikita Borisov — UIUC
27

Initial criteria:
 security –effort to practically cryptanalyse
 cost –computational
 algorithm &amp; implementation characteristics

Final criteria
 general security
 software &amp; hardware implementation ease
 implementation attacks
 flexibility (in en/decrypt, keying, other factors)
1/31/12
Nikita Borisov — UIUC
28
1/31/12
Nikita Borisov — UIUC
29

Designed by Rijmen-Daemenin Belgium
 Has 128/192/256 bit keys, 128 bit data

An iterative rather than Feistel cipher
 treats data in 4 groups of 4 bytes
 4x4 matrix in column major order
 operates an entire block in every round

Designed to be:
 resistant against known attacks
 speed and code compactness on many CPUs
 Simple design
1/31/12
Nikita Borisov — UIUC
30

Can be efficiently implemented on 8-bit CPU
 Byte substitution works on bytes using a table of 256
entries
 Shift rows is simple byte shifting
 Add round key works on byte XORs
 Mix columns requires matrix multiply in GF(28) on
byte values, can be simplified to use a table lookup

Only recently have some cryptoanalysis
techniques been successful.
 Biclique Cryptanalysis of the Full AES
▪ http://research.microsoft.com/enus/projects/cryptanalysis/aesbc.pdf
▪ But not yet a practical concern
1/31/12
Nikita Borisov — UIUC
41


Encipher, decipher multiple bits at once
Each block enciphered independently
 Electronic Code Book Mode (ECB)
1/31/12
Nikita Borisov — UIUC
42

Problem: identical plaintext blocks produce
identical ciphertext blocks
 Example: two database records
▪ MEMBER: HOLLY INCOME \$100,000
▪ MEMBER: HEIDI INCOME \$100,000
 Encipherment:
▪ ABCQZRME GHQMRSIB CTXUVYSS RMGRPFQN
▪ ABCQZRME ORMPABRZ CTXUVYSS RMGRPFQN
1/31/12
Nikita Borisov — UIUC
43
1/31/12
Nikita Borisov — UIUC
44


Insert information about block’s position into
the plaintext block, then encipher
Cipher block chaining (CBC):
 Exclusive-or current plaintext block with previous
ciphertext block:
▪ c0 = Ek(m0 I)
▪ ci = Ek(mi ci–1) for i &gt; 0

1/31/12
where I is the initialization vector
Nikita Borisov — UIUC
45
init. vector
1/31/12
m1
m2


DES
DES
…
c1
c2
…
Nikita Borisov — UIUC
…
46
ciphertext
init. vector
1/31/12
c1
c2
DES
DES


m1
m2
Nikita Borisov — UIUC
…
…
…
47


If one block of ciphertext is altered, the error
propagates for at most two blocks
Initial message
 3231343336353837 3231343336353837
3231343336353837 3231343336353837

Received as (underlined 4c should be 4b)
 ef7c4cb2b4ce6f3b f6266e3a97af0e2c
746ab9a6308f4256 33e60b451b09603d

Which decrypts to
 efca61e19f4836f1 3231333336353837
3231343336353837 3231343336353837
 Incorrect bytes underlined
 Plaintext “heals” after 2 blocks
1/31/12
Nikita Borisov — UIUC
48

Often (try to) implement one-time pad by
xor’ing each bit of key with one bit of
message
 Example:




m = 00101
k = 10010
c = 10111
But how to generate a good key?
1/31/12
Nikita Borisov — UIUC
49






Period estimated to be 1010
Variable length key 1 to 256 bytes
Byte based operations
Very efficient
Array S stores all possible values from 0 to 255
Each step
 Systematically pick a value from S: this is the next key
stream byte
 Permute S

See Schneier’s Solitaire cipher for a pen and
paper analog
 http://www.schneier.com/solitaire.html
1/31/12
Nikita Borisov — UIUC
50
mi-1

ki-1
1/31/12
mi+1
mi
ci-1

E
ki-
Nikita Borisov — UIUC
ci
E

ci+1
ki+1
51
mi-1
ctri-1
EK

ctri
ci-1
1/31/12
mi+1d
mi
EK

ci
Nikita Borisov — UIUC
ctri+1
EK

ci+1
52


Losing Synchronicity is fatal
 All later decryptions will be garbled



OFB needs an initialization vector
Counter mode lets you generate a bit in the
middle of the stream. Lets you operate on
blocks in parallel.
RC4 is a well-known stream cipher. Used in
WEP and SSL
1/31/12
Nikita Borisov — UIUC
53

Symmetric key ciphers
 AES and DES
 Today's workhorse algorithms
 Cryptanalysis attacks on algorithms
 Product ciphers

Stream ciphers
 RC4
 Block ciphers and cipher modes
1/31/12
Nikita Borisov — UIUC
57
```